ClawHub

Postproxy

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it gives an agent practical authority to upload local files, publish or schedule social posts, and delete posts without built-in confirmation guidance.

Install only if you are comfortable giving an agent a PostProxy API key for connected social accounts. Before any upload, publish, schedule, or delete action, require the agent to restate the exact post body, media file paths, target profiles, schedule time, and post ID, and only approve files you intentionally want sent to PostProxy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (11)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill enables networked actions that can create, publish, schedule, and delete social media content without any safety guidance, confirmation requirements, or warning that user data and local files may be sent to an external service. In an agent context, this increases the risk of unintended publication, destructive deletion, and inadvertent exfiltration of local media or sensitive content.

External Transmission

Medium
Category
Data Exfiltration
Content
### List Profiles
```bash
curl -X GET "https://api.postproxy.dev/api/profiles" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY"
```
Confidence
92% confidence
Finding
curl -X GET "https://api.postproxy.dev/api/profiles" \ -H "Authorization: Bearer $POSTPROXY_API_KEY" ``` ### List Posts ```bash curl -X GET "https://api.postproxy.dev/api/posts" \ -H "Authorizati

External Transmission

Medium
Category
Data Exfiltration
Content
### List Profiles
```bash
curl -X GET "https://api.postproxy.dev/api/profiles" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY"
```
Confidence
92% confidence
Finding
https://api.postproxy.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
### List Posts
```bash
curl -X GET "https://api.postproxy.dev/api/posts" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY"
```
Confidence
91% confidence
Finding
https://api.postproxy.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
### Get Post
```bash
curl -X GET "https://api.postproxy.dev/api/posts/{id}" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY"
```
Confidence
91% confidence
Finding
https://api.postproxy.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
### Create Post (JSON with media URLs)
```bash
curl -X POST "https://api.postproxy.dev/api/posts" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
96% confidence
Finding
https://api.postproxy.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
### Create Post (File Upload)
Use multipart form data to upload local files:
```bash
curl -X POST "https://api.postproxy.dev/api/posts" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY" \
  -F "post[body]=Check out this image!" \
  -F "profiles[]=instagram" \
Confidence
97% confidence
Finding
https://api.postproxy.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
### Create Draft
Add `post[draft]=true` to create without publishing:
```bash
curl -X POST "https://api.postproxy.dev/api/posts" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY" \
  -F "post[body]=Draft post content" \
  -F "profiles[]=twitter" \
Confidence
93% confidence
Finding
https://api.postproxy.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
### Publish Draft
```bash
curl -X POST "https://api.postproxy.dev/api/posts/{id}/publish" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY"
```
Confidence
96% confidence
Finding
https://api.postproxy.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
### Schedule Post
Add `scheduled_at` to post object:
```bash
curl -X POST "https://api.postproxy.dev/api/posts" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
94% confidence
Finding
https://api.postproxy.dev/

External Transmission

Medium
Category
Data Exfiltration
Content
### Delete Post
```bash
curl -X DELETE "https://api.postproxy.dev/api/posts/{id}" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY"
```
Confidence
96% confidence
Finding
https://api.postproxy.dev/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal